Method for generating secure elliptic curves using an arithmetic-geometric mean iteration

ABSTRACT

Methods for determining whether an arbitrary elliptic curve over a binary field is secure, by using a novel non-converging Arithmetic-Geometric Mean iteration to determine the exact number of points on the curve. The methods provide rapid generation of secure curves for Elliptic-Curve Cryptography by selecting a secure curve from among candidate curves with the new method. The secure curve chosen is a curve whose number of points is found to be divisible by a large prime number. The number of points on candidate curves is computed by a first phase, which lifts the curve to a certain related curve, followed by a second phase, which computes a certain norm that yields the result. The new Arithmetic-Geometric Mean iteration is used for the lifting phase or for the norm phase or for both.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application is a divisional of U.S. patent application Ser. No. 10/172,776, filed Jun. 14, 2002, which claims priority from co-pending U.S. Provisional Patent Application No. 60/298,612 filed Jun. 15, 2001, both entitled METHOD FOR GENERATING SECURE ELLIPTIC CURVES USING AN ARITHMETIC-GEOMETRIC MEAN ITERATION, which are hereby incorporated by reference, as if set forth in full in this document, for all purposes.

BACKGROUND OF THE INVENTION

Field of Invention

The present invention relates to elliptic-curve cryptography (ECC) and, more particularly, to the fast generation of secure elliptic curves over binary fields.

Since Elliptic-Curve Cryptography (ECC) was proposed in the mid-1980s by Koblitz [Kob1987] and Miller [Mil1987] following the work of Lenstra [Len1987], its security and efficiency have been subject to intense study. In recent years, it has become widely accepted as an alternative to cryptosystems based on factorization or discrete logarithms in finite fields, especially for constrained environments. ECC is now covered by standards from such bodies as ANSI, IEEE, ISO and NIST. See [ANSI1999], [IEEE2000], [ISO1998] and [NIST2000].

One of the initial steps in protocols based on ECC is to pick a suitable curve. In public-key ECC, public and private keys typically contain information identifying such a curve along with certain other data such as a point on it. To ensure that the ECC system is secure, the curve must be chosen to have a number of points which is divisible by a large prime number in order to ensure that the curve is not vulnerable to known generic methods of attack. To check this, it is necessary to know the exact number of points on the curve.

Some special elliptic curves have particular properties which make computing the number of points on them easy, or which accelerate arithmetic operations occurring in cryptographic protocols. However such special curves have repeatedly been found to be vulnerable to specific methods of attack.

The most striking example is curves of trace one, for which polynomial time attacks were discovered independently by Smart [Sma1999], Satoh-Araki [SA1998] and Semaev [Sem1998]. Supersingular curves and curves of trace two were broken in sub-exponential time by Menezes, Okamoto and Vanstone [MOV1991] and by Frey and Rück [FR1994]. Curves with many automorphisms, which include curves defined over small fields as proposed by Koblitz and some complex-multiplication curves (see U.S. Pat. Nos. 5,272,755, 5,351,297 and 5,497,423), are vulnerable to exponential-time attacks which are faster than generic attacks; see [Har1998], [WZ1998], [GLV1998] and [DGM1999].

Gaudry, Hess and Smart [GHS2000] have shown that some curves defined over composite extension fields are also weak. Thus in order to ensure security, the base field should be chosen to be a prime field or an extension of prime degree.

These results suggest that to maximize security one must avoid choosing curves from particular families of curves with special properties or extra structure and instead examine arbitrary candidate curves, ideally chosen at random, to find one whose number of points is divisible by a large prime number. This procedure first became feasible with the SEA method for point-counting due to Schoof [Sch1985], [Sch1995], Elkies [Elk1998] and Atkin [Atk1988]. If desired, one may also check that the resulting curve does not accidentally fall into a known family of vulnerable curves (a very rare occurrence).

Finding such a secure curve requires testing many candidates. Candidate curves may be prefiltered by rejecting some whose numbers of points can be determined in advance to be divisible by certain small divisors, as done by Lercier in [Ler1997]. However even with this strategy, finding secure curves using the SEA method was a slow process. Johnson and Menezes [JM1999] recently described it as a “complicated and cumbersome task” requiring “a few hours on a workstation” for 200 bits.

It was possible to work around this difficulty to a certain extent by precomputing a limited number of secure curves in advance and then deploying those curves widely. For instance, this is common practice with several of the curves described by the U.S. National Institute of Standards and Technology [NIST2000]. However such a practice is deemed risky by experts [INRIA2000], in part because of the actual choice of curves and in part because any discovery of methods of attack against a widely-deployed curve would have widespread implications.

An ability to generate new secure elliptic curves is deemed to be highly desirable. For instance in U.S. Pat. No. 6,141,420, Vanstone, et al. write:

    “The elliptic curve cryptography method has a number of benefits. First, each person can define his own elliptic curve for encryption and decryption, which gives rise to increased security. If the private key security is compromised, the elliptic curve can be easily redefined and new public and private keys can be generated to return to a secure system. In addition, to decrypt data encoded with the method, only the parameters for the elliptic curve and the session key need be transmitted.”

While in theory it is easy to incorporate a new curve into an ECC system, in practice it remained difficult to generate new secure curves dynamically. Recently a partial solution to this problem was provided by Satoh's method for point-counting [Sat2000] and by Fouquet, Gaudry and Harley's extension of it to the practically useful case of binary fields, see [FGH2000] and also [Skj2000], [VPV2001]. This allowed secure curves to be generated more rapidly than had been done previously [FGH2001].

The present invention comprises a new Arithmetic-Geometric Mean (AGM) method for point-counting which is significantly faster than those in the prior art and allows secure curves to be generated very quickly so that, for instance, this can be done at will by users of ECC systems. For instance a secure 163-bit curve, whose number of points is two times a prime number, can presently be generated in two seconds on average using a certain workstation (Alpha, 750 MHz) and a 239-bit curve takes eight seconds. Furthermore the new method can be implemented with a small amount of program memory and of random-access memory so that it is suitable for constrained devices such as a Personal Digital Assistant or mobile telephone.

Note that several applications of converging AGM iterations are known in the art for use with non-binary fields (see [HM1989]) whereas the present invention involves a non-converging iteration for use with binary fields. Note also that the present method can be extended to some hyperelliptic curves by combining it with ideas described in [BM1988].

A particular advantage of the new method for environments with high security requirements is that it is now practical to generate secure curves locally and never reveal them to third parties. For instance communicating parties may initially share a secret curve, or each of them may generate the same shared secret curve by selecting it from a pseudo-random sequence initialized with a seed value which is a shared secret constructed using a standard protocol such as Diffie-Hellman (U.S. Pat. No. 4,200,770). With ECC techniques based on publicly known curves, an eavesdropper who listens in on ECC transactions can attempt to attack them by using certain computations on the curves. However an eavesdropper who does not even know which curve is used for a particular transaction will have no such avenue of attack. One of the principal advantages of ECC over competing cryptosystems such as Rivest-Shamir-Adleman (U.S. Pat. No. 4,405,829) is that it draws high levels of security from much smaller keys. With the technique just described, security is further enhanced while maintaining small keys.

BRIEF SUMMARY OF THE INVENTION

An object of the present invention is to provide a new method for determining the exact number of points on an arbitrary elliptic curve defined over a binary field.

A second object of the present invention is to thereby enable the rapid generation of secure elliptic curves for use in elliptic-curve cryptography by making use of the new point-counting method.

A third object of the present invention is to ensure that the methods described herein be implementable in devices which may be constrained in the amount of program memory available or in the amount of random-access memory available or in the processing power available or some combination of these.

To these ends, the present invention provides a new method for point-counting which is significantly faster than prior art methods, while being efficient in terms of program size and memory usage. The new method comprises two phases:

The first phase, called lifting, consists of a procedure which takes as input a given elliptic curve over a binary field and, by certain techniques described below, produces as output a precise approximation of a certain related elliptic curve.

The second phase consists of a procedure which takes as input the lifted elliptic curve and computes, by certain techniques described below, the norm of a related quantity in such a way as to determine the number of points of the initially given curve.

The inventive steps of this new method, relative to methods known from prior art, include use of the AGM iteration in new techniques for implementing either or both of the above phases efficiently. Further details of the new method will become readily apparent from the detailed description below.

The new method can be embodied in several forms:

In one form, the first phase is implemented using the new AGM method described below and the second phase is implemented using any other means for norm computation, such as one existing in prior art.

In another form, the first phase is implemented using any standard means for curve lifting, such as one existing in prior art, and the second phase is implemented using the new AGM method described below.

In another form, both phases are implemented using the new AGM method described below.

In practice these forms may be embodied as program code such as a C language program running on a general purpose microprocessor (as is the case for existing prototypes at the time of filing). Another envisaged embodiment is as a program running on a constrained device such as a smartcard chip. Another envisaged embodiment is a hardware design, either a dedicated design implementing the entire method or a design providing hardware assistance for some critical portions of it.

The result of a process using the present invention is the number of points on a given elliptic curve. It takes the tangible form of an integer value stored in registers or memory cells of a device carrying out the process.

To generate a secure curve quickly, the present invention is applied repeatedly to a sequence of candidate curves. The candidates may optionally be prefiltered using an early-abort strategy such as one of those known from prior art. A brief outline is given next for purposes of exposition. Some details are omitted as being analogous to details known in the art for use with other point-counting methods. See [Ler1997], [MP1998] or [FGH2001].

A sequence of candidate curves over a binary field is generated by any appropriate means, such as by choosing curves randomly or pseudo-randomly.

An early-abort strategy may be applied to select from this sequence a sub-sequence of curves with improved likelihood of being secure. To do this, some of the curves which are not secure are filtered out by determining that their numbers of points are divisible by certain small divisors.

The numbers of points on the selected curves are computed with the new AGM method.

The number of points on each selected curve is checked to determine if it is divisible by a sufficiently large prime number for the curve to be deemed secure.

One may also check at any stage whether each curve falls into a known family of weak curves.

As a particular example, one may accept curves whose number of points is two times a large prime number (note that the number of points is always even). In such a case one could filter out curves whose number of points is divisible by 4, 3, 5 or 7 before applying the new AGM method for point-counting.

Various modifications will occur to those skilled in the art. For instance one could also accept curves whose number of points is four times a large prime number. In such a case, pairs consisting of curves and their twisted curves may be handled simultaneously as described in [MP1998].

The final result of a process for generating secure elliptic curves using the new AGM method is one or more coefficients defining the curve. These coefficients take the tangible form of bit-string values stored in registers or memory cells of a device carrying out the process.

In one embodiment the invention provides a method for generating a cryptographic key for use in a digital processing system, the method comprising analyzing points on an elliptic curve by using a non-converging arithmetic geometric mean calculation; and deriving a cryptographic key from the analysis.

The foregoing and other features and advantages of the present invention will become apparent from the detailed description given below.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flowchart of a sequence of steps in a first phase of computation; and

FIG. 2 is a flowchart of a sequence of steps in a second phase of computation.

DETAILED DESCRIPTION OF THE INVENTION

The present invention provides a new method for determining the exact number of points on an arbitrary elliptic curve defined over a binary field i.e., a finite field of characteristic two. The following describes preferred embodiments of this method.

Several abstract structures are defined for the purposes of exposition. However they each have a concrete representation in a device implementing the invention.

Define Z.sub.2 (the symbol .sub. denotes a subscript) to be the ring of 2-adic integers i.e., normal integers considered modulo successive powers of two. Define f(x) to be a polynomial of degree d with coefficients in Z.sub.2 that has its leading coefficient equal to one and that is irreducible modulo 2. Let q be 2^d (the symbol ^ denotes taking a power). Define Z.sub.q to be the ring of polynomials over Z.sub.2 considered modulo f(x). Note that Z.sub.q is of characteristic zero.

Concretely, elements in Z.sub.2 and in Z.sub.q are represented to some working precision in a device implementing the invention. An element in Z.sub.2 is represented to precision n by storing the first n bits of its value in an array of n bits in the natural way. An element in Z.sub.q is represented to precision n by storing its coefficients in an array of d elements, each of which is an element in Z.sub.2 to precision n. For efficiency purposes, f(x) can be chosen to be sparse, for instance having 3 or 5 coefficients equal to one and the others all equal to zero. Other representations are clearly possible.

Define F.sub.q to be the binary field of q elements with the representation that follows naturally by considering Z.sub.q modulo 2. Further details relating to representation issues and similar are omitted, as they are conventional and well known in the art.

As is usual, the equation of an ordinary elliptic curve over the binary field F.sub.q can be put into the form:

    y^2+x*y=x^3+c

with coefficient c in F.sub.q, by taking the quadratic twist of the curve if necessary.

The input to the new AGM method of point-counting is the coefficient c specifying an ordinary elliptic curve. The new method makes use of the following steps. It employs variables A, B, C and T, which are in Z.sub.q, to a certain working precision. Working to precision ((d+1) .div. 2)+4 is sufficient (the symbol .div. denotes truncated division).

The arithmetic operations employed below operate modulo f(x) so that they are significantly more complicated than ordinary numerical operations, however methods for computing them are well known in the art.

The first phase computes a lifted curve as illustrated in FIG. 1 and as follows:

1. Variable C is chosen to be any value that coincides with c, modulo 2. This is done by simply filling in arbitrary bits.
2. Variable A is set to the initial value 1+8*C.
3. Variable B is set to the initial value 1.
4. The following steps are repeated in a loop ((d+1) .div. 2)−1 times:
   4a. Variable T is set to the product A*B modulo f(x).
   4b. Variable A is set to the value (A+B)/2.
   4c. Variable B is set to the square root of T modulo f(x).
   (end of loop)

The initialization in step 2 can be made more accurate, for instance by setting A to 1+8+C^8−32*C^16. In step 4c, there is a choice of sign to be made in the square root. The sign should be chosen to ensure that B remains equal to 1 modulo 4. Then it may be observed that the values of A and B both remain equal to 1 modulo 4 and remain equal to each other modulo 8.

Note that each loop iteration in step 4 computes the arithmetic and geometric means of A and B, but unlike other known applications of the AGM iteration, the values of A and B do not converge to a single value.

Steps 1 to 4 constitute the first phase of the point-counting algorithm. The output is the elliptic curve over Z.sub.q given by the following equation:

    y^2=x*(x−A^2)*(x−B^2)

which is the canonical lift of the initially given curve, or else a conjugate of this lift. To improve efficiency in this phase, the working precision can initially be small, say 5 bits, and be gradually increased by one bit per loop iteration.

Note that in one form of the present invention, this first phase can be replaced by a different method for lifting, including those described in such prior art as reference [Sat2000]. In such a case, the lifted curve can be given by an equation above and the second phase is done with the AGM.

The second phase is illustrated in FIG. 2 and as follows.

5. Variable C is set to A.
6. The following steps are repeated in a loop d times:
   6a. Variable T is set to the product A*B modulo f(x).
   6b. Variable A is set to the value (A+B)/2.
   6c. Variable B is set to the square root of T modulo f(x).
   (end of loop)
7. Variable T is set to C/A modulo f(x). (Note that T will then be found to be an element in Z.sub.2).
8. Integer variable r is set to the unique integer with absolute value at most 2^(1+d/2), and equal to 1 modulo 4 and equal to T to precision ((d+1) .div. 2)+2.

The final output is q+1−r, which is the number of points on the given curve including the point at infinity. In cases where the number of points on the twisted curve is desired instead, the output is to be replaced by q+1+r.

Steps 5 to 8 constitute the second phase of the point-counting algorithm. Steps 5 to 7 compute the norm of the value that C/A would have after the first iteration of loop 6. Then step 8 computes the exact value of the trace of the curve.

Note that in one form of the present invention the first phase is done with the AGM, and this second phase can be replaced by a different method for computing this norm, such as one existing in prior art or the method very recently described by Professor Satoh in [Sat2001].
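Steps 1 to 8 above, followed by the acceptance test from the summary (twisted-curve order q+1+r equal to two times a prime), written out as an added Python example; it is not code from the patent. Assumptions: a toy field whose f(x) is passed as the exponent list `low`, d of at least 4, trial-division primality, and a fixed working precision of 3d+16 bits instead of the tighter bound stated above; `naive_count` is an exhaustive cross-check.

```python
# Added example: AGM point counting for y^2 + x*y = x^3 + c over F_q, q = 2^d.
# Constructed toy setting: F_q = F_2[x]/f(x), f = x^d + sum(x^e for e in low).
# An element of Z_q is a list of d integers mod 2^prec; c is a d-bit integer.

def zq_mul(a, b, low, mod):
    """Product in Z_q: polynomial product reduced modulo f(x) and 2^prec."""
    d = len(a)
    prod = [0] * (2 * d - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    for k in range(2 * d - 2, d - 1, -1):   # x^d = -(low-order terms of f)
        for e in low:
            prod[k - d + e] -= prod[k]
    return [v % mod for v in prod[:d]]

def zq_sqrt(t, low, mod, prec):
    """Root of t (t = 1 mod 8) that is 1 mod 4, the sign rule for step 4c.

    With t = 1 + 8u and root 1 + 4v we need v + 2v^2 = u; the iteration
    v <- u - 2v^2 fixes at least one more bit of v per pass.
    """
    u = [(t[0] - 1) // 8] + [x // 8 for x in t[1:]]
    v = [0] * len(t)
    for _ in range(prec):
        sq = zq_mul(v, v, low, mod)
        v = [(ui - 2 * si) % mod for ui, si in zip(u, sq)]
    return [(1 + 4 * v[0]) % mod] + [4 * x % mod for x in v[1:]]

def zq_inv(a, low, mod, prec):
    """Inverse of a (a = 1 mod 2) by Newton's iteration x <- x*(2 - a*x)."""
    x = [1] + [0] * (len(a) - 1)
    for _ in range(prec.bit_length()):      # correct bits double each pass
        ax = zq_mul(a, x, low, mod)
        x = zq_mul(x, [(2 - ax[0]) % mod] + [-y % mod for y in ax[1:]], low, mod)
    return x

def agm_step(a, b, low, mod, prec):
    """Steps 4a-4c and 6a-6c: (A, B) <- ((A + B)/2, sqrt(A*B))."""
    t = zq_mul(a, b, low, mod)
    return [(x + y) // 2 for x, y in zip(a, b)], zq_sqrt(t, low, mod, prec)

def agm_trace(c, d, low):
    """Integer r of step 8; the curve then has 2^d + 1 - r points."""
    if c == 0 or d < 4:
        raise ValueError("need c != 0 and d >= 4")
    prec = 3 * d + 16      # assumption: well above the page's bound, so the
    mod = 1 << prec        # bit lost by each halving never reaches r
    lift = [(c >> i) & 1 for i in range(d)]                 # step 1
    a = [1 + 8 * lift[0]] + [8 * x for x in lift[1:]]       # step 2
    b = [1] + [0] * (d - 1)                                 # step 3
    for _ in range((d + 1) // 2 - 1):                       # step 4
        a, b = agm_step(a, b, low, mod, prec)
    saved = a                                               # step 5
    for _ in range(d):                                      # step 6
        a, b = agm_step(a, b, low, mod, prec)
    t = zq_mul(saved, zq_inv(a, low, mod, prec), low, mod)  # step 7
    m = (d + 1) // 2 + 2                                    # step 8
    r = t[0] % (1 << m)
    return r - (1 << m) if r >= 1 << (m - 1) else r

def gf_mul(x, y, d, low):
    """Product in F_q on bit-vector integers (used only for the cross-check)."""
    poly = (1 << d) | sum(1 << e for e in low)
    r = 0
    for i in range(d):
        if (y >> i) & 1:
            r ^= x
        x <<= 1
        if (x >> d) & 1:
            x ^= poly
    return r

def naive_count(c, d, low):
    """Exhaustive count of points on y^2 + x*y = x^3 + c, plus infinity."""
    n = 1
    for x in range(1 << d):
        rhs = gf_mul(gf_mul(x, x, d, low), x, d, low) ^ c
        n += sum(gf_mul(y, y ^ x, d, low) == rhs for y in range(1 << d))
    return n

def is_prime(n):
    return n > 1 and all(n % p for p in range(2, int(n ** 0.5) + 1))

def twice_prime_twists(d, low):
    """All c whose twisted curve has q + 1 + r = 2 * prime points."""
    q = 1 << d
    return [c for c in range(1, q)
            if is_prime((q + 1 + agm_trace(c, d, low)) // 2)]
```

At toy sizes every accepted curve is of course breakable; the block only shows that the integer produced by step 8 agrees with an exhaustive count and how the two-times-a-prime test is applied to it.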

While the present invention has been described in connection with a specific embodiment, various modifications will occur to those skilled in the art without departing from the spirit of what is described herein.

Certain specific steps may be replaced by steps that can be seen to be equivalent by those skilled in the art, and such equivalent steps are also implied. For example, the two-variable AGM iterations described above can easily be replaced with one-variable iterations of the form:

    Set S to (1+S)/2 divided by the square root of S.

Table I, below, lists various references referred to in this specification.

TABLE I

[ANSI1999]: American National Standards Institute. “Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm.” ANSI X9.62 (1999).
[Atk1992]: A. Oliver L. Atkin. “The number of points on an elliptic curve modulo a prime.” NMBRTHRY mailing list (1992). Archived at http://listserv.nodak.edu/scripts/wa.exe?A0=nmbrthry
[BM1988]: Jean-Benoit Bost, Jean-Francois Mestre. “Moyenne arithmético-géométrique et périodes des courbes de genre 1 et 2.” Gazette des Mathematiciens. Vol. 38 (1988), pp. 36-64.
[DGM1999]: Ivan Duursma, Pierrick Gaudry, François Morain. “Speeding up the discrete log computation on curves with automorphisms.” In: Advances in Cryptology - ASIACRYPT '99. Lecture Notes in Computer Science Vol. 1716 (1999), pp. 103-121.
[GLV1998]: Robert Gallant, Robert Lambert, Scott A. Vanstone. “Improving the parallelized Pollard lambda search on binary anomalous curves.” (1998). To appear in Mathematics of Computation.
[Elk1998]: Noam Elkies. “Elliptic and modular curves over finite fields and related computational issues.” Computational Perspectives on Number Theory. AMS/International Press (1998), pp. 21-76.
[FGH2000]: Mireille Fouquet, Pierrick Gaudry, Robert Harley. “An extension of Satoh's algorithm and its implementation.” Journal of the Ramanujan Mathematical Society. Vol. 15 (2000), pp. 281-318.
[FGH2001]: Mireille Fouquet, Pierrick Gaudry, Robert Harley. “Finding Secure Curves with the Satoh-FGH Algorithm and an Early-Abort Strategy.” In: Advances in Cryptology - Eurocrypt 2001. Lecture Notes in Computer Science Vol. 2045 (2001), pp. 14-29.
[FR1994]: Gerhard Frey, Hans-Georg Rück. “A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves.” Mathematics of Computation. Vol. 62, #206 (1994), pp. 865-874.
[GHS2000]: Pierrick Gaudry, Florian Hess, Nigel P. Smart. “Constructive and destructive facets of Weil descent on elliptic curves.” Technical Report CSTR-00-016, University of Bristol (2000).
[Har1998]: Robert Harley. “Elliptic Curve Discrete Logarithms Project, ECC2K-95.” (1998). Available at http://cristal.inria.fr/~harley/ecd1/
[HM1989]: Guy Henniart, Jean-François Mestre. “Moyenne arithmético-géométrique p-adique.” Comptes Rendus Acad. Sci. Paris Vol. 308 (1989), pp. 391-395.
[IEEE2000]: Institute of Electrical and Electronics Engineers. “Standard Specification for Public-Key Cryptography.” IEEE P1363 (2000).
[INRIA2000]: Institut National de Recherche en Informatique et en Automatique. “Biggest public-key crypto crack ever - INRIA leads worldwide Internet-distributed calculation.” INRIA press release (2000). Available at http://www.inria.fr/presse/pre67.en.html
[ISO1998]: “Information Technology -- Security Techniques - Digital Signatures with Appendix - Part 3: Certificate Based-Mechanisms.” ISO/IEC 14888-3 (1998).
[JM1999]: Don Johnson, Alfred J. Menezes. “The elliptic curve digital signature algorithm (ECDSA).” Technical Report CORR 99-34, University of Waterloo (1999).
[Kob1987]: Neal Koblitz. “Elliptic curve cryptosystems.” Mathematics of Computation. Vol. 48, #177 (1987), pp. 203-209.
[Len1987]: Hendrik W. Lenstra Jr. “Factoring integers with elliptic curves.” Annals of Mathematics. Vol. 126 (1987), pp. 649-673.
[Ler1997]: Reynald Lercier. “Finding good random elliptic curves for cryptosystems defined over F_{2^n}.” In: Advances in Cryptology - EUROCRYPT '97. Lecture Notes in Computer Science Vol. 1233 (1997), pp. 379-392.
[Mil1987]: Victor S. Miller. “Use of elliptic curves in cryptography.” In: Advances in Cryptology - CRYPTO '86. Lecture Notes in Computer Science Vol. 263 (1987), pp. 417-426.
[MOV1991]: Alfred J. Menezes, Tatsuaki Okamoto, and Scott A. Vanstone. “Reducing elliptic curves logarithms to logarithms in a finite field.” In: Proceedings 23rd Annual ACM Symposium on Theory of Computing. ACM Press (1991), pp. 80-89.
[MP1998]: Volker Müller, Sachar Paulus. “On the Generation of Cryptographically Strong Elliptic Curves.” Preprint (1998). Available at http://www.informatik.th-darmstadt.de/TI/Mitarbeiter/vmueller.html
[NIST2000]: National Institute of Standards and Technology. “Digital Signature Standard.” FIPS 186-2 (2000).
[SA1998]: Takakazu Satoh, Kiyomichi Araki. “Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves.” Commentarii Mathematici Universitatis Sancti Pauli. Vol. 47 (1998), pp. 81-92.
[Sat2000]: Takakazu Satoh. “The canonical lift of an ordinary elliptic curve over a finite field and its point counting.” Journal of the Ramanujan Mathematical Society. Vol. 15 (2000), pp. 247-270.
[Sat2001]: Takakazu Satoh. “Asymptotically Fast Algorithm for Computing the Frobenius Substitution and Norm over Unramified Extension of p-adic Number Fields.” Preprint available from Saitama University, Japan.
[Sch1985]: René Schoof. “Elliptic curves over finite fields and the computation of square roots mod p.” Mathematics of Computation. Vol. 44 (1985), pp. 483-494.
[Sch1995]: René Schoof. “Counting points on elliptic curves over finite fields.” Journal de Théorie des Nombres de Bordeaux. Vol. 7 (1995), pp. 219-254.
[Sem1998]: Igor A. Semaev. “Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p.” Mathematics of Computation. Vol. 67, #221 (1998), pp. 353-356.
[Skj2000]: Berit Skjernaa. “Satoh's algorithm in characteristic 2.” (2000). To appear. Copies available at http://www.imf.au.dk/~skjernaa/
[Sma1999]: Nigel P. Smart. “The discrete logarithm problem on elliptic curves of trace one.” Journal of Cryptology. Vol. 12 (1999), pp. 193-196.
[VPV2001]: Frederik Vercauteren, Bart Preneel, Joos Vandewalle. “A Memory Efficient Version of Satoh's Algorithm.” In: Advances in Cryptology - Eurocrypt 2001. Lecture Notes in Computer Science Vol. 2045 (2001), pp. 1-13.
[WZ1998]: Michael J. Wiener, Robert J. Zuccherato. “Faster Attacks on Elliptic Curve Cryptosystems.” Selected Areas in Cryptography '98. Lecture Notes in Computer Science Vol. 1556 (1998), pp. 190-200.

The terms and expressions which have been employed here are used for purposes of description and not of limitation. There is no intention to exclude any equivalents of the various features shown and described. It should be understood that various modifications are possible within the scope of the invention. For example, steps in the flowcharts of FIGS. 1 and 2 merely show one selection of basic steps for achieving the invention. Steps can be added to, or taken from, those shown. Further, the steps shown can be modified. In general, many approaches to achieving the functionality of the invention are possible.

Any suitable programming language or technique can be used. For example, object oriented, procedural, artificial intelligence, etc., techniques can be adopted. The steps can be performed serially or concurrently. The methods and aspects of the present invention can be practiced in a general-purpose computing environment or with distributed, parallel, co-processing, embedded, etc. architectures. Aspects of the invention need not be embodied in reprogrammable media. Steps or functions described herein can be performed in hardware, software or a combination of the two. For example, hardware design can include application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), custom or semi custom designs, discrete logic, etc.

It is possible that the present invention can be practiced in other than electrical devices. For example, optical, biotechnology, nanoengineering, etc., devices can be employed.

Thus the scope of the invention is to be determined solely by the appended claims.

1-7. (canceled)
8. A method for generating a cryptographic key for use in a digital processing system, the method comprising analyzing points on an elliptic curve by using a non-converging arithmetic geometric mean calculation; and deriving a cryptographic key from the analysis.
9. The method of claim 8, further comprising first and second phases, wherein the first phase includes a lifting procedure, wherein the lifting procedure includes the following steps: accepting as input a given elliptic curve over a binary field; and producing as output an approximation of a related elliptic curve, wherein the related elliptic curve is derived from the given elliptic curve.
10. The method of claim 9, wherein at least a portion of the steps of the first phase are achieved using an arithmetic-geometric mean approach.
11. The method of claim 9, further comprising wherein the second phase includes a procedure including the following steps: accepting as input the related elliptic curve; computing the norm of a quantity related to the elliptic curve to determine a number of points on the given curve.
12. The method of claim 11, wherein at least a portion of the steps of the second phase are achieved using an arithmetic-geometric mean approach.
13. An apparatus for generating a cryptographic key for use in a digital processing system, the apparatus comprising a digital processor; one or more instructions stored in a memory for execution by the digital processor, wherein the one or more instructions include instructions for using a non-converging arithmetic geometric mean calculation to analyze points on an elliptic curve and to derive a cryptographic key from the results of analysis.
14. A computer data signal embodied in a carrier wave comprising one or more instructions stored in a memory for execution by the digital processor, wherein the one or more instructions include instructions for using a non-converging arithmetic geometric mean calculation to analyze points on an elliptic curve and to derive a cryptographic key from the results of analysis.
15. A computer-readable medium including instructions for execution by a digital processor, the computer readable medium comprising one or more instructions stored in a memory for execution by the digital processor, wherein the one or more instructions include instructions for using a non-converging arithmetic geometric mean calculation to analyze points on an elliptic curve and to derive a cryptographic key from the results of analysis.